We recently has a client with some LDAP performance issues, and had a need to tune how WebLogic was querying their LDAP repository. In WebLogic, the simplest way to do this is with their LDAP Filters. While trying to explain how to do this, I was struck by the lack of clear documentation on what exactly these filters are and why on earth you would need them... The best documentation was in the WebCenter guide, but it was still a bit light on the details.
Firstly, all these filters use LDAP query syntax. For those familiar with SQL, LDAP query syntax looks pretty dang weird... mainly because it uses Prefix, or Polish notation to construct the queries. So if you wanted all Contact objects in the LDAP repository with a Common Name that began with "Joe", your query would look like this:
Notice how the ampersand AND operator is in the front, and the conditionals are in their own parenthesis. Also note the * wildcard. If you wanted to grab all Group objects that had either Marketing or Sales in the name, the query would look like this:
Notice that the pipe OR operator prefixes the conditionals checking for Marketing or Sales in the group. Of course, this would not be a great query to run frequently... substring searches are slow, and multiple substring searches are even worse!
Below are what these filters do, and why I think you'd need to change them...
All Users Filter: This is basically the initial filter to grab all "user" objects in the entire repository. LDAP stores all kinds of objects (groups, contacts, computers, domains), and this is a simple query to narrow the list of user objects from the collection of all objects. A common setting is simply:
(objectclass=user) (&(objectCategory=person)(objectClass=user)) (sAMAccountType=805306368)
Users From Name Filter: This is a query to find a user object based on the name of the user. This is a sub-filter based on the previous All Users Filter to grab one specific person based on the user name. You would sometimes change this based on what single sign on system you are using, some use the common name as the official user ID, whereas other systems use the sAMAccountName. The %u token is the name being looked up. One of these two usually works:
All Groups Filter: Similar to the all names filter, this filter narrows the list of all objects in the LDAP repository to just the list of groups. By default, most applications just grab all group objects with this filter:
However, if you have a particularly large LDAP repository, this can be a performance problem. We usually don't need all the groups defined in the repository, we just need the ones with a specific name:
Or the ones under a specific organizational unit:
Then the list of group objects to query based on name is much smaller and faster.
Group From Name Filter: Similar to the User From Name Filter, this filter looks up a specific group by the name (the %g token). Again, thie value here usually depends on what single sing on solution you are using, but one of these two usually works:
Hopefully that clears things up a bit! If you have performance problems, your best bet is to modify the All Groups Filter and the All Users Filter to only grab the groups and users relevant to your specific app.